mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-25 10:42:19 -05:00
Added information about OMEMOKeyExchange and the key exchange flow
This commit is contained in:
parent
928d6ffd63
commit
f60fdbec98
28
xep-0384.xml
28
xep-0384.xml
@ -182,6 +182,9 @@
|
|||||||
<di><dt>associated data</dt><dd>The associated data is created by concatenating the identity keys of Alice and Bob: <tt>AD = Encode(IK_A) || Encode(IK_B)</tt></dd></di>
|
<di><dt>associated data</dt><dd>The associated data is created by concatenating the identity keys of Alice and Bob: <tt>AD = Encode(IK_A) || Encode(IK_B)</tt></dd></di>
|
||||||
<di><dt>XEdDSA</dt><dd>To reduce the amount of bytes that have to be transferred, the key exchange uses <link url="https://signal.org/docs/specifications/xeddsa/">XEdDSA</link> on curves X25519/Ed25519 (aka XEd25519) to derive signing keys from encryption keys.</dd></di>
|
<di><dt>XEdDSA</dt><dd>To reduce the amount of bytes that have to be transferred, the key exchange uses <link url="https://signal.org/docs/specifications/xeddsa/">XEdDSA</link> on curves X25519/Ed25519 (aka XEd25519) to derive signing keys from encryption keys.</dd></di>
|
||||||
</dl>
|
</dl>
|
||||||
|
<p>
|
||||||
|
The key exchange is done just-in-time when sending the first message to a device. Thus, each key exchange message always also contains encrypted content as produced by the double ratchet algorithm below.
|
||||||
|
</p>
|
||||||
</section2>
|
</section2>
|
||||||
<section2 topic='Double Ratchet' anchor='protocol-double_ratchet'>
|
<section2 topic='Double Ratchet' anchor='protocol-double_ratchet'>
|
||||||
<p>NOTE: <tt>OMEMOMessage.proto</tt>, <tt>OMEMOAuthenticatedMessage.proto</tt> and <tt>OMEMOKeyExchange.proto</tt> refer to the protobuf structures as defined <link url="#protobuf-schema">here</link>.</p>
|
<p>NOTE: <tt>OMEMOMessage.proto</tt>, <tt>OMEMOAuthenticatedMessage.proto</tt> and <tt>OMEMOKeyExchange.proto</tt> refer to the protobuf structures as defined <link url="#protobuf-schema">here</link>.</p>
|
||||||
@ -210,6 +213,16 @@
|
|||||||
</ol>
|
</ol>
|
||||||
</dd></di>
|
</dd></di>
|
||||||
</dl>
|
</dl>
|
||||||
|
<p>
|
||||||
|
If encrypting this message required a key exchange, the X3DH key exchange header data is placed into a new <tt>OMEMOKeyExchange.proto</tt> structure together with the <tt>OMEMOAuthenticatedMessage.proto</tt> structure.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
To account for lost and out-of-order messages during the key exchange, <tt>OMEMOKeyExchange.proto</tt> structures are sent until a response by the recipient confirms that the key exchange was successfully completed. To do so, the X3DH key exchange header data is stored and added on each subsequent message until a response is received. This looks roughly as follows:
|
||||||
|
</p>
|
||||||
|
<ol>
|
||||||
|
<li>The first content is encrypted for a new recipient. This results in an X3DH header and a <tt>OMEMOAuthenticatedMessage.proto</tt> structure. Both are packed into an <tt>OMEMOKeyExchange.proto</tt> structure. The X3DH header is stored for following messages.</li>
|
||||||
|
<li>A second message is encrypted for the same recipient. This results in only a <tt>OMEMOAuthenticatedMessage.proto</tt> structure, as a new key exchange is not required. Together with the X3DH header that was stored in the previous step, an <tt>OMEMOKeyExchange.proto</tt> structure is constructed and sent to the recipient.</li>
|
||||||
|
</ol>
|
||||||
</section2>
|
</section2>
|
||||||
<section2 topic='Message Encryption' anchor='protocol-message_encryption'>
|
<section2 topic='Message Encryption' anchor='protocol-message_encryption'>
|
||||||
<p>
|
<p>
|
||||||
@ -471,23 +484,12 @@
|
|||||||
</section1>
|
</section1>
|
||||||
<section1 topic='Implementation Notes' anchor='impl'>
|
<section1 topic='Implementation Notes' anchor='impl'>
|
||||||
<!-- TODO: I think this is still true? -->
|
<!-- TODO: I think this is still true? -->
|
||||||
<p>
|
<!-- TODO: Write something about trust here -->
|
||||||
The SignalProtocol-library uses a trust model that doesn't work very well with
|
|
||||||
OMEMO. For this reason it may be desirable to have the library consider all
|
|
||||||
keys trusted, effectively disabling its trust management. This makes it
|
|
||||||
necessary to implement trust handling oneself.
|
|
||||||
</p>
|
|
||||||
</section1>
|
</section1>
|
||||||
<section1 topic='Security Considerations' anchor='security'>
|
<section1 topic='Security Considerations' anchor='security'>
|
||||||
<p>Clients MUST NOT use a newly built session to transmit data without user intervention. If a client were to opportunistically start using sessions for sending without asking the user whether to trust a device first, an attacker could publish a fake device for this user, which would then receive copies of all messages sent by/to this user. A client MAY use such "not (yet) trusted" sessions for decryption of received messages, but in that case it SHOULD indicate the untrusted nature of such messages to the user.</p>
|
<p>Clients MUST NOT use a newly built session to transmit data without user intervention. If a client were to opportunistically start using sessions for sending without asking the user whether to trust a device first, an attacker could publish a fake device for this user, which would then receive copies of all messages sent by/to this user. A client MAY use such "not (yet) trusted" sessions for decryption of received messages, but in that case it SHOULD indicate the untrusted nature of such messages to the user.</p>
|
||||||
<p>When prompting the user for a trust decision regarding a key, the client SHOULD present the user with a fingerprint in the form of a hex string, QR code, or other unique representation, such that it can be compared by the user.</p>
|
<p>When prompting the user for a trust decision regarding a key, the client SHOULD present the user with a fingerprint in the form of a hex string, QR code, or other unique representation, such that it can be compared by the user. TODO: consistent color foo</p>
|
||||||
<p>While it is RECOMMENDED that clients postpone private key deletion until after MAM catch-up and this standards mandates that clients MUST NOT use duplicate-PreKey sessions for sending, clients MAY delete such keys immediately for security reasons. For additional information on potential security impacts of this decision, refer to <note>Menezes, Alfred, and Berkant Ustaoglu. "On reusing ephemeral keys in Diffie-Hellman key agreement protocols." International Journal of Applied Cryptography 2, no. 2 (2010): 154-158.</note>.</p>
|
<p>While it is RECOMMENDED that clients postpone private key deletion until after MAM catch-up and this standards mandates that clients MUST NOT use duplicate-PreKey sessions for sending, clients MAY delete such keys immediately for security reasons. For additional information on potential security impacts of this decision, refer to <note>Menezes, Alfred, and Berkant Ustaoglu. "On reusing ephemeral keys in Diffie-Hellman key agreement protocols." International Journal of Applied Cryptography 2, no. 2 (2010): 154-158.</note>.</p>
|
||||||
<p>
|
|
||||||
In order to be able to handle out-of-order messages, the SignalProtocol stack has to
|
|
||||||
cache the keys belonging to "skipped" messages that have not been seen yet.
|
|
||||||
It is up to the implementor to decide how long and how many of such keys to
|
|
||||||
keep around.
|
|
||||||
</p>
|
|
||||||
</section1>
|
</section1>
|
||||||
<section1 topic='IANA Considerations' anchor='iana'>
|
<section1 topic='IANA Considerations' anchor='iana'>
|
||||||
<p>This document requires no interaction with the Internet Assigned Numbers Authority (IANA). </p>
|
<p>This document requires no interaction with the Internet Assigned Numbers Authority (IANA). </p>
|
||||||
|
Loading…
Reference in New Issue
Block a user